
New Basic Guide to HIPAA Compliance Released By HHS

The Department of Health and Human Services’ Office for Civil Rights has recently issued a basic guide to HIPAA compliance: a summary of the HIPAA Rules for covered entities.

A Basic Guide to HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) places a number of requirements on healthcare providers, health plans, healthcare clearinghouses, and Business Associates of HIPAA-covered entities, to safeguard data, protect the privacy of patients, and notify them of incidents that expose their Protected Health Information (PHI).

HIPAA legislation is complicated, and many covered entities, especially smaller healthcare providers, struggle to understand the HIPAA Privacy, Security, and Breach Notification Rules and to turn those rules into policies and procedures.

The Department of Health and Human Services’ Office for Civil Rights is the enforcer of HIPAA Rules, and while the agency investigates data breaches, it is also charged with improving understanding of data privacy and security legislation. One way it achieves this objective is by issuing guidance to help organizations understand how HIPAA applies in practice.


Recently the OCR, in conjunction with the Medicare Learning Network, has released new guidance covering the basics of HIPAA compliance, explaining the fundamentals of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, summarizing the main elements of each.

Basic Guide to HIPAA Compliance: Essential Elements of HIPAA Explained

The basic guide to HIPAA compliance condenses the main points of HIPAA into a 7-page document. It explains what Protected Health Information is, the organizations that must take steps to protect that information, and the timescales for reporting data breaches. It also includes useful quick references where covered entities can find out more information.

Often the basic elements of HIPAA Rules are not adhered to, leading to OCR financial penalties. While covered entities are not expected to prevent all unauthorized disclosures of PHI, they must implement appropriate protections to minimize the risk of patient privacy being violated.

During the pilot phase of the OCR HIPAA compliance audits, covered entities were assessed on compliance with the Security and Privacy Rules. The results of those audits clearly demonstrated that the majority of audited entities had not implemented the minimum data security and privacy standards required by HIPAA.

Compliance with these rules is more important now than ever, with hackers and malicious insiders accessing, copying, and sharing patient data for financial gain like never before. Covered entities must repel these incessant attacks and keep ePHI secured; however, sooner or later one of those attacks will be successful. It is therefore essential that breach response policies are in place, and that they can be implemented immediately upon discovery of a data breach. The OCR appears to be concentrating on the breach response, to ensure that when ePHI is exposed, risk is mitigated quickly.

The Importance of a Fast, Efficient Breach Response

The OCR understands that even when protections are put in place, breaches can still be suffered. Financial penalties and corrective action plans are therefore not always necessary, but a failure to conduct a prompt breach response and mitigate risk is almost certain to result in action against the covered entity in question.

The breach response is not necessarily a quick process. When a hacker breaks through security defenses, it is not always clear which areas of a network have been accessed, the patient data that was potentially viewed or copied, and which patients are at risk of fraud and identity theft. Forensic investigations must be conducted, and all too often, a covered entity is required to draft, print, and mail millions of breach notification letters. This can take a considerable amount of time, and the 60-day time frame for alerting patients and reporting the incident elapses fast.

In the OCR basic guide to HIPAA compliance, covered entities are reminded of the timescales for responding to breaches. The reporting requirements included in the basic guide to HIPAA compliance have been detailed below:

HIPAA Breach Notification Deadlines

Provide notification to | Breaches involving fewer than 500 individuals                                                  | Breaches involving more than 500 individuals
Individuals             | No later than 60 days after discovery of a breach                                              | No later than 60 days after discovery of a breach
HHS                     | Submit a log of all breaches once a year, no later than 60 days after the end of the calendar year | At the same time as notice to individuals, no later than 60 days from discovery
Media                   | N/A                                                                                            | No later than 60 days from discovery

OCR Penalties for HIPAA Breach Notification Violations

A failure to execute a prompt breach response can result in financial penalties being issued by the OCR, State Attorneys General, and other government agencies. Under HIPAA (and HITECH) the penalties for breach notification violations can be severe. A fine of up to $1.5 million can be issued by the OCR, and state attorneys general can fine violators for failing to notify state residents within a reasonable time frame. Covered entities should note that delaying breach notices unnecessarily, even when the 60-day breach deadline is not exceeded, can also result in fines being issued. HIPAA legislation sets a deadline, but also states that notification letters must be sent “without unnecessary delay.”

Tier                                                                                                                              | Penalty
Covered entity did not know (and by exercising reasonable diligence would not have known) an act was a HIPAA violation.          | $100-$50,000 for each violation, up to a maximum of $1.5 million, per violation category, per calendar year.
Reasonable cause, yet not a result of willful neglect.                                                                            | $1,000-$50,000 for each violation, up to a maximum of $1.5 million, per violation category, per calendar year.
A HIPAA violation resulted from willful neglect of HIPAA Rules, but the violation was corrected within the required time period. | $10,000-$50,000 for each violation, up to a maximum of $1.5 million, per violation category, per calendar year.
The HIPAA violation was due to willful neglect and no effort was made to correct the issue.                                       | $50,000+ for each violation, up to a maximum of $1.5 million, per violation category, per calendar year.

Criminal penalties may be appropriate, such as when employees of HIPAA-covered entities improperly access ePHI. In recent months there appears to have been an increase in the number of individuals found to have accessed, disclosed, or used ePHI, and the Department of Justice is taking action. Violators of patient privacy can be, and are being, sent to jail for HIPAA violations.

The criminal penalties permissible under HIPAA are indicated below:

HIPAA Criminal Penalties

Tier                                              | Penalty
Unknowing violation or with reasonable cause      | Up to 1 year in jail
Access under false pretenses                      | Up to 5 years in jail
Access for personal gain or with malicious intent | Up to 10 years in jail

Any would-be data thief should note that while charges can be filed under HIPAA, potentially resulting in up to 10 years in prison, sentences may in fact be longer. Individuals found to have accessed and used PHI/PII may not necessarily be charged under HIPAA laws. Conspiracy to commit wire fraud, for instance, carries a maximum penalty of 20 years in prison, while aggravated identity theft carries a mandatory 2-year term in jail, which must run consecutively to any sentence issued.

HIPAA Sets Minimum Standards: State Laws May Set Stricter Breach Reporting Standards

HIPAA legislation is periodically updated, but state laws change much more frequently. Over the past 12 months, a number of states have introduced even tougher data breach laws, requiring HIPAA-covered entities, and other holders of sensitive data, to notify breach victims faster. Risk mitigation strategies are also now covered by certain state data breach laws, and organizations and individuals that expose data are required to take greater precautions to keep state residents protected.

Compliance with HIPAA Rules may not be sufficient to avoid data breach fines, so it is essential that CISOs, CIOs and IT professionals keep up to date with state data breach legislation updates.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
